On the heels of two real Flash Player security updates being distributed by Adobe Systems this week, hackers are spreading a fake update for the media player via a scam on Facebook that has exposed at least 5,000 users to the threat.

In the past week, Adobe has released two security updates for zero-day flaws in the latest versions of Flash Player: one in the middle of last week and a second over the weekend for a separate bug. Both fixed vulnerabilities that attackers were already exploiting in the wild, and both drew considerable news coverage and concern from security experts.

But as Adobe rushed out its patch, attackers began spreading a fake Flash Player update through a Facebook scam that started on Friday and ran for three days. The fake update installs a backdoor that can later be used to drop additional malware.

The attack is not sophisticated: it relies on social engineering rather than on exploiting a software flaw. Even so, Bitdefender, the security firm that uncovered the campaign, said it lured more than 5,000 Facebook users to the attack page within one hour.

The attackers target the social network’s users by tagging would-be victims in photos that pose as still frames of racy videos. In short, they abuse Facebook’s tagging feature to put a notification in front of the user and then lead them to a web page outside the social network. There, with the promise of a porn video, the user is urged to install a fake Flash Player update that is actually malware.

There are several tell-tale signs that the promised videos are bogus. First, the tag comes from an account that is not on the target’s friends list. Second, the URL printed at the bottom of the still frame is a Google URL-shortener (goo.gl) link rather than a YouTube one, so the real destination is hidden. Third, clicking the supposed video sends the user to a web page outside the social network.

The landing page fingerprints the visitor’s browser and operating system, checking for Windows desktops, Android smartphones, Sony PlayStation consoles, media players, smart cars, TV sets and older feature phones, and serves a different payload to each platform.

According to Bogdan Botezatu, a senior threat analyst at Bitdefender, visitors arriving from a ‘low-interaction terminal’ (one on which Flash Player is not available) are redirected to a bogus premium-rate SMS service.

Windows users however “get the full service”, which leads to the fake Flash Player update. This includes “a redirect to a fake Facebook page where you are prompted to download a so-called Flash Player update in order to be able to watch the video, which now turns out to be a spicy one rather than what was promised in the original Facebook post,” he noted.

Botezatu said the fake Flash update is actually an SFX file (a self-extracting executable archive built with WinRAR) that installs two pieces of malware when run: one is the backdoor, and the other propagates the scam through the Facebook accounts of the compromised PCs’ owners.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.